The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive (ED 24-01) following the widespread and active exploitation of vulnerabilities in two affected VPN products. The multiple vulnerabilities—five of which were disclosed in the last month alone—include authentication bypass, command injection, privilege escalation, and a server-side request forgery in the SAML component. ED 24-01 instructs federal agencies to shut down vulnerable VPN solutions and remove them from their networks until they can be properly mitigated, and to threat hunt adjacent systems. Agencies are also required to perform additional forensic analysis and clean-up steps.
According to CISA, while both affected products have since been patched, exploitation of the vulnerabilities found in these products could allow a malicious threat actor to move laterally, exfiltrate data, and establish persistent system access, resulting in full compromise of the target information systems. CISA has determined that this poses an unacceptable level of risk to Federal Civilian Executive Branch (FCEB) agencies, which is why it has required this emergency action.
This move underscores the inherent risk of relying on VPN technologies for accessing privileged systems or business-critical environments, and the critical need for robust security measures in the face of evolving cyber threats. Read on for insights into the threat posed by traditional VPNs and the modern technology that can help you reduce your dependence on VPN technology to better safeguard your organization against future threats.
The inherent risk of traditional VPN technology
While VPNs do a good job of controlling access to anything at an IP address level, they are notoriously difficult to configure for granular access. They often end up granting broad network access instead of specific, controlled access. This assumes the trustworthiness of anyone inside the VPN—including third parties and vendors, office guests, and anyone who manages to compromise a VPN entry point. It also means your organization’s security is only as good as that of the external endpoint you are allowing to tunnel into your environment.
Anyone who is granted access to an organization’s network via a VPN is given direct, unfettered access to large portions of that network. This leaves gaping vulnerabilities for malicious players to exploit and poses broad risks that could allow extensive lateral movement if exploited.
Examining the VPN breach of Global Affairs Canada
VPNs have become a significant target for threat actors who know that, if they can breach a VPN, they often no longer have to worry about traditional security controls, such as firewalls. As a result, we’ve seen a significant increase in cases of VPN vulnerabilities being exploited in major business and government breaches in recent years. Just last month, Global Affairs Canada (GAC) reported a massive, month-long security breach affecting multiple government employees, several of whom were instructed to stop working remotely as a result of the breach. The GAC breach resulted from a compromised VPN that employees used to access GAC's Ottawa headquarters.
The affected VPN was managed by Shared Services Canada, a federal department created in 2011 to take over the delivery of email, data centers, and network services for many government departments and agencies.
The scope and impact of the breach are still under investigation, but initial investigations suggest that GAC’s internal systems were vulnerable between December 20, 2023 and January 24, 2024, and that any employees who connected remotely using a SIGNET (Secure Integrated Global Network) laptop may have had their information exposed. SIGNET is the department’s secure computer network, which holds both personal employee information and classified information. It is not yet clear whether secret information was lost in the breach, or who was behind it.
How to get ahead of the next breach: secure your organization with Privileged Remote Access
With cyberattacks becoming increasingly sophisticated, and with threat actors able to dedicate ever-greater resources and technologies to the research of vulnerabilities, organizations must be proactive in mitigating risks. It is important to note that the CISA directive emphasizes the importance of swift action to address the vulnerabilities in the affected VPN solutions, and, based on the advisory, the remediation may be just as laborious as deploying a new solution.
If your organization is in this situation, in lieu of redeploying the same solution, consider a new technology that can solve a myriad of remote access use cases in a much more secure way.
BeyondTrust Privileged Remote Access (PRA) is a modern identity-secure access solution that empowers teams with exactly the access they need to cloud and on-prem resources, without the need for a VPN. Internal, remote, or vendor access to business systems is enabled only for the specific assets needed by an authorized user and only for the time they need it. Unlike traditional VPNs, which provide broad access to networks and all the resources hosted on them, Privileged Remote Access offers a point-to-point approach to creating just-in-time access for RDP, SSH, Kubernetes, databases, proxied web browser capabilities (HTTPS), and even cloud platform consoles. A real zero trust, no-standing-privileges approach powered by Privileged Remote Access means you no longer need to sacrifice security to achieve your business goals.
Network tunneling: the new and secure alternative to VPNs
Privileged Remote Access version 24.1 continues to build on the identity security access capabilities that already make it a perfect alternative to VPN technology, with the addition of Privileged Remote Access Network Tunneling.
A traditional VPN provides anyone who accesses it direct, unfettered access to your entire network, leaving gaping vulnerabilities for malicious players to exploit. It’s like giving every guest that checks into a hotel a key card that works on every single room. Network tunneling enables the granular control of access to every system individually, spanning from cloud IT to on-premises factory devices.
Network tunneling allows organizations to address use cases—including operational technology (OT), Internet of Things (IoT), and anything built on programmable logic controller (PLC) devices—by combining User Datagram Protocol (UDP) and Layer 3 tunneling with point-to-point granularity of access based on identity. This eliminates all the security loopholes and risks that are currently introduced by traditional VPNs. To continue the analogy, those requiring access won’t just lack keys to the other hotel rooms—they won’t even be allowed to see the doors of the rooms they don’t have access to.
The new feature combines the most useful part of VPNs (the ability to control access at an IP level) with the identity-based access capabilities of Privileged Remote Access (SSO, MFA, full session logging and auditing, end-to-end encryption, and more) to extend beyond the limitations of traditional VPNs. As a result, users will have a modern, identity-secure approach to access that traditional VPNs are currently incapable of providing.
This new approach to providing better-than-VPN access significantly limits the attack surface relative to what is exposed in a breach that impacts VPN technology. The access granted is narrower and more granular, fully monitored and logged, and implemented in an identity-secure way.
Why choose Privileged Remote Access for identity secure cloud and on-prem access?
It is becoming more and more evident that relying on VPNs is simply inviting trouble into your network. Privileged Remote Access introduces a better way to create secure access for your systems and networks.
Here are the top benefits of choosing Privileged Remote Access as your robust access solution:
- Support for all systems – Privileged Remote Access is designed to consolidate access to any kind of system your business runs on—from cloud apps, servers, and containers to machines on the factory floor—from a single pane of glass. Secure, controlled access for cloud accounts is just as easy as it is for on-prem accounts, and vice versa.
- Access created only when required – Privileged Access Management enforces a zero standing privileges secure access framework by only creating access when it’s needed, for precisely what is needed, and only for how long it’s needed. Granting access just-in-time means you remove the attack surface area of permanent access while remaining dynamic enough to not interrupt the work of your teams.
- Credentials remain a secret – Privileged Remote Access uses a credential injection approach, which means credentials are never even available directly to users or their devices. This removes the most common scenarios that can result in compromised credentials and ensures only authorized identities can access systems.
- Passwords follow system hardening best practices – Privileged Remote Access’s Vault automatically expires and rotates credentials. Credentials can be scheduled to rotate after a set amount of time, so old passwords are no longer useful. They can also be manually rotated on demand, whenever security situations necessitate it.
- Cloud certificates are virtually un-stealable – Privileged Remote Access uses an SSH Certificate Authority to issue identity-specific, short-lived certificates that expire immediately after use. These certificates ensure security for your cloud service accounts. Because they don’t live beyond their initial access use, even if they are stolen, they would serve no purpose to a threat actor and would not grant unauthorized access to the environment.
- Sessions are monitored for threat activity – Privileged Remote Access helps ensure that no malicious or harmful activities can take place in your critical infrastructure with automated session logging and monitoring for every single user access session. This feature also offers the ability to tie into threat detection systems and terminate suspicious activity immediately.
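The contrast the post draws between a network-level VPN grant and point-to-point, just-in-time access can be made concrete in a small policy model: the tunnel grant exposes every routed host to whoever connects, while the identity grant names one asset, one port and one time window and denies everything else. This is an added illustration, not BeyondTrust code; the `JitGrant` format, the host inventory and the `vendor-ot` principal are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed inventory of hosts sitting behind the remote-access entry point.
INVENTORY = {
    "10.20.1.10": "jump-host",
    "10.20.1.25": "hr-database",
    "10.20.5.40": "plc-line-3",
    "10.20.9.9": "domain-controller",
}

@dataclass(frozen=True)
class JitGrant:
    """Hypothetical point-to-point grant: who, which asset and port, and the window in which it exists."""
    principal: str
    target: str
    port: int
    start: datetime
    end: datetime

def vpn_reachable(tunnel_cidr: str, inventory=INVENTORY) -> set[str]:
    """Network-level tunnel: every routed host is reachable by whatever endpoint connects."""
    net = ipaddress.ip_network(tunnel_cidr)
    return {ip for ip in inventory if ipaddress.ip_address(ip) in net}

def jit_allows(principal, target, port, grants, now: datetime) -> bool:
    """Identity-scoped check for one connection attempt: deny by default, expired grants do not count."""
    return any(g.principal == principal and g.target == target
               and g.port == port and g.start <= now < g.end for g in grants)

def jit_visible(principal, grants, now: datetime, inventory=INVENTORY) -> set[str]:
    """What the user can even see: only assets named in a live grant ("not even the other doors")."""
    return {g.target for g in grants if g.target in inventory
            and g.principal == principal and g.start <= now < g.end}

def demo() -> dict:
    t0 = datetime(2024, 2, 1, 9, 0, tzinfo=timezone.utc)
    # The vendor gets two hours to the PLC's Modbus port and nothing else.
    grants = [JitGrant("vendor-ot", "10.20.5.40", 502, t0, t0 + timedelta(hours=2))]
    return {
        "vpn_sees": vpn_reachable("10.20.0.0/16"),
        "vendor_sees": jit_visible("vendor-ot", grants, t0 + timedelta(minutes=30)),
        "vendor_sees_after_window": jit_visible("vendor-ot", grants, t0 + timedelta(hours=3)),
        "modbus_in_window": jit_allows("vendor-ot", "10.20.5.40", 502, grants, t0),
        "ssh_same_host_denied": not jit_allows("vendor-ot", "10.20.5.40", 22, grants, t0),
        "dc_denied": not jit_allows("vendor-ot", "10.20.9.9", 3389, grants, t0),
    }
```

Calling `demo()` shows the whole /16 reachable through the tunnel, a single PLC visible to the vendor inside the window, and nothing at all once the window has closed.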
In the world of cybersecurity, remote workers, and advanced networking technology, staying ahead of vulnerabilities is the difference between reporting a breach and sleeping well at night. The CISA advisory underscores the critical importance of addressing vulnerabilities in software products to mitigate cyber threats effectively. BeyondTrust Privileged Remote Access emerges as a compelling alternative to traditional VPNs, offering enhanced security features and granular access controls. By adopting Privileged Remote Access, organizations can bolster their cybersecurity defenses, ensure operational continuity in an increasingly hostile digital environment, and achieve new goals, like Zero Trust.
Morey J. Haber, Chief Security Advisor
Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his nearly 12-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board, assisting the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as part of the acquisition of eEye Digital Security, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
Emily Wang, Product Marketing Manager
Emily Wang is a Product Marketing Manager at BeyondTrust for Privileged Remote Access and Remote Support. Prior to joining BeyondTrust, she worked in a variety of product marketing and product management roles at Visa, as well as fintech and software startups. In these roles, she owned the go-to-market strategy for products such as tap-to-pay and the simplification of buying insurance online. Emily is passionate about making technical concepts accessible to all and is enthusiastic about demystifying cybersecurity.